File name:

Keygen.exe

Full analysis: https://app.any.run/tasks/f155752e-9f62-4728-9ee3-dd49e13ac7c5
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Malware Trends Tracker     >>>
Analysis date: August 10, 2024, 09:55:36
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
opendir
loader
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5:

70BE645013BB40472981B510FEF40341

SHA1:

9DC8263E05CC334D6A02A5E0A775CE4C363BD820

SHA256:

1C36851144C0AE74FDB8E794D2BBEED1645CF575AEABF4D5C2BE732E5FFF1069

SSDEEP:

24576:K4Qs8KjMLjgHC1hBd7+NBwb9L1QBkKyPntuigNttd7J:K4QsDj9iRQE9xukF8ig

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Changes the autorun value in the registry

      • nchsetup.exe (PID: 320)

    • Modifies hosts file to block updates

      • Keygen.exe (PID: 6452)

  • SUSPICIOUS

    • Drops the executable file immediately after the start

      • Keygen.exe (PID: 6452)
      • designsetup.exe (PID: 2212)
      • zlib1v3.exe (PID: 460)
      • infozip3.exe (PID: 2384)
      • nchsetup.exe (PID: 320)
      • ppadsetup.exe (PID: 5068)
      • dreamplan.exe (PID: 1884)
      • pstagesetup.exe (PID: 1716)
      • nchsetup.exe (PID: 7092)
      • nchsetup.exe (PID: 4276)
      • vpsetup.exe (PID: 6372)
      • nchsetup.exe (PID: 6244)
      • mp3el2.exe (PID: 5072)
      • ffmpeg23.exe (PID: 460)
      • drawpadsetup.exe (PID: 3672)
      • nchsetup.exe (PID: 6780)

    • Reads security settings of Internet Explorer

      • designsetup.exe (PID: 2212)
      • nchsetup.exe (PID: 320)
      • dreamplan.exe (PID: 1884)
      • ppadsetup.exe (PID: 5068)
      • nchsetup.exe (PID: 7092)
      • pstagesetup.exe (PID: 1716)
      • nchsetup.exe (PID: 4276)
      • vpsetup.exe (PID: 6372)
      • nchsetup.exe (PID: 6244)
      • drawpadsetup.exe (PID: 3672)
      • nchsetup.exe (PID: 6780)
      • dreamplan.exe (PID: 3848)

    • There is functionality for taking screenshot (YARA)

      • Keygen.exe (PID: 6452)

    • Executable content was dropped or overwritten

      • designsetup.exe (PID: 2212)
      • zlib1v3.exe (PID: 460)
      • nchsetup.exe (PID: 320)
      • infozip3.exe (PID: 2384)
      • ppadsetup.exe (PID: 5068)
      • dreamplan.exe (PID: 1884)
      • pstagesetup.exe (PID: 1716)
      • nchsetup.exe (PID: 7092)
      • nchsetup.exe (PID: 4276)
      • vpsetup.exe (PID: 6372)
      • nchsetup.exe (PID: 6244)
      • mp3el2.exe (PID: 5072)
      • ffmpeg23.exe (PID: 460)
      • drawpadsetup.exe (PID: 3672)
      • nchsetup.exe (PID: 6780)

    • Reads the date of Windows installation

      • designsetup.exe (PID: 2212)
      • nchsetup.exe (PID: 320)
      • dreamplan.exe (PID: 1884)
      • ppadsetup.exe (PID: 5068)
      • pstagesetup.exe (PID: 1716)
      • vpsetup.exe (PID: 6372)
      • nchsetup.exe (PID: 6244)
      • drawpadsetup.exe (PID: 3672)

    • Creates a software uninstall entry

      • nchsetup.exe (PID: 320)
      • nchsetup.exe (PID: 7092)
      • nchsetup.exe (PID: 4276)
      • nchsetup.exe (PID: 6244)
      • nchsetup.exe (PID: 6780)

    • Searches for installed software

      • nchsetup.exe (PID: 320)
      • nchsetup.exe (PID: 7092)
      • nchsetup.exe (PID: 4276)
      • nchsetup.exe (PID: 6244)
      • nchsetup.exe (PID: 6780)

    • Starts itself from another location

      • nchsetup.exe (PID: 320)
      • nchsetup.exe (PID: 7092)
      • nchsetup.exe (PID: 4276)
      • nchsetup.exe (PID: 6244)
      • nchsetup.exe (PID: 6780)

    • Checks Windows Trust Settings

      • nchsetup.exe (PID: 320)
      • nchsetup.exe (PID: 7092)
      • nchsetup.exe (PID: 4276)
      • nchsetup.exe (PID: 6244)
      • nchsetup.exe (PID: 6780)

    • Potential Corporate Privacy Violation

      • dreamplan.exe (PID: 1884)
      • nchsetup.exe (PID: 6244)

    • Process requests binary or script from the Internet

      • dreamplan.exe (PID: 1884)
      • nchsetup.exe (PID: 6244)

  • INFO

    • Checks supported languages

      • Keygen.exe (PID: 6452)
      • nchsetup.exe (PID: 320)
      • zlib1v3.exe (PID: 460)
      • infozip3.exe (PID: 2384)
      • designsetup.exe (PID: 2212)
      • dreamplan.exe (PID: 1884)
      • dreamplan.exe (PID: 1692)
      • dreamplan.exe (PID: 3848)
      • ppadsetup.exe (PID: 5068)
      • nchsetup.exe (PID: 7092)
      • photopad.exe (PID: 2088)
      • pstagesetup.exe (PID: 1716)
      • nchsetup.exe (PID: 4276)
      • photostage.exe (PID: 4168)
      • vpsetup.exe (PID: 6372)
      • nchsetup.exe (PID: 6244)
      • mp3el2.exe (PID: 5072)
      • ffmpeg23.exe (PID: 460)
      • drawpadsetup.exe (PID: 3672)
      • videopad.exe (PID: 3568)
      • nchsetup.exe (PID: 6780)
      • drawpad.exe (PID: 6896)
      • TextInputHost.exe (PID: 6732)
      • identity_helper.exe (PID: 6440)
      • dreamplan.exe (PID: 4644)

    • Reads the computer name

      • Keygen.exe (PID: 6452)
      • designsetup.exe (PID: 2212)
      • nchsetup.exe (PID: 320)
      • dreamplan.exe (PID: 1884)
      • dreamplan.exe (PID: 3848)
      • dreamplan.exe (PID: 1692)
      • ppadsetup.exe (PID: 5068)
      • photopad.exe (PID: 2088)
      • pstagesetup.exe (PID: 1716)
      • nchsetup.exe (PID: 7092)
      • nchsetup.exe (PID: 4276)
      • photostage.exe (PID: 4168)
      • vpsetup.exe (PID: 6372)
      • nchsetup.exe (PID: 6244)
      • videopad.exe (PID: 3568)
      • drawpadsetup.exe (PID: 3672)
      • nchsetup.exe (PID: 6780)
      • drawpad.exe (PID: 6896)
      • identity_helper.exe (PID: 6440)
      • TextInputHost.exe (PID: 6732)
      • dreamplan.exe (PID: 4644)

    • Manual execution by a user

      • designsetup.exe (PID: 3700)
      • designsetup.exe (PID: 2212)
      • dreamplan.exe (PID: 4644)

    • Create files in a temporary directory

      • designsetup.exe (PID: 2212)
      • zlib1v3.exe (PID: 460)
      • infozip3.exe (PID: 2384)
      • dreamplan.exe (PID: 3848)
      • ppadsetup.exe (PID: 5068)
      • dreamplan.exe (PID: 1884)
      • pstagesetup.exe (PID: 1716)
      • vpsetup.exe (PID: 6372)
      • mp3el2.exe (PID: 5072)
      • nchsetup.exe (PID: 6244)
      • drawpadsetup.exe (PID: 3672)
      • ffmpeg23.exe (PID: 460)

    • Process checks computer location settings

      • designsetup.exe (PID: 2212)
      • nchsetup.exe (PID: 320)
      • dreamplan.exe (PID: 1884)
      • ppadsetup.exe (PID: 5068)
      • pstagesetup.exe (PID: 1716)
      • vpsetup.exe (PID: 6372)
      • nchsetup.exe (PID: 6244)
      • drawpadsetup.exe (PID: 3672)

    • Creates files in the program directory

      • zlib1v3.exe (PID: 460)
      • infozip3.exe (PID: 2384)
      • nchsetup.exe (PID: 320)
      • dreamplan.exe (PID: 3848)
      • nchsetup.exe (PID: 7092)
      • nchsetup.exe (PID: 4276)
      • nchsetup.exe (PID: 6244)
      • mp3el2.exe (PID: 5072)
      • ffmpeg23.exe (PID: 460)
      • nchsetup.exe (PID: 6780)

    • Reads the machine GUID from the registry

      • nchsetup.exe (PID: 320)
      • nchsetup.exe (PID: 7092)
      • nchsetup.exe (PID: 4276)
      • nchsetup.exe (PID: 6244)
      • nchsetup.exe (PID: 6780)

    • Reads the software policy settings

      • nchsetup.exe (PID: 320)
      • nchsetup.exe (PID: 7092)
      • nchsetup.exe (PID: 4276)
      • nchsetup.exe (PID: 6244)
      • nchsetup.exe (PID: 6780)

    • Reads Microsoft Office registry keys

      • nchsetup.exe (PID: 320)
      • nchsetup.exe (PID: 7092)
      • nchsetup.exe (PID: 4276)
      • nchsetup.exe (PID: 6244)
      • nchsetup.exe (PID: 6780)
      • dreamplan.exe (PID: 3848)
      • msedge.exe (PID: 5116)
      • msedge.exe (PID: 6736)

    • Creates files or folders in the user directory

      • dreamplan.exe (PID: 3848)
      • nchsetup.exe (PID: 6244)

    • Checks proxy server information

      • nchsetup.exe (PID: 6780)

    • Application launched itself

      • msedge.exe (PID: 5116)
      • msedge.exe (PID: 6736)

    • Reads Environment values

      • identity_helper.exe (PID: 6440)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.dll | Win32 Dynamic Link Library (generic) (38.3)
.exe | Win32 Executable (generic) (26.2)
.exe | Win16/32 Executable Delphi generic (12)
.exe | Generic Win/DOS Executable (11.6)
.exe | DOS Executable Generic (11.6)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2021:10:02 00:43:11+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, Bytes reversed lo, 32-bit, Bytes reversed hi
PEType: PE32
LinkerVersion: 2.25
CodeSize: 1110016
InitializedDataSize: 45056
UninitializedDataSize: 1163264
EntryPoint: 0x22a700
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 1.9.0.0
ProductVersionNumber: 1.9.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Windows, Latin1
CompanyName: RadiXX11
FileDescription: NCH Software Keygen
FileVersion: 1.9.0.0
InternalName: Keygen.exe
LegalCopyright: © 2021, RadiXX11
LegalTrademarks: -
OriginalFileName: Keygen.exe
ProductName: NCH Software Keygen
ProductVersion: 1.9.0.0
Comments: -
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
198
Monitored processes
56
Malicious processes
12
Suspicious processes
0

Behavior graph

Click at the process to see the details
start THREAT keygen.exe designsetup.exe no specs designsetup.exe nchsetup.exe zlib1v3.exe infozip3.exe dreamplan.exe dreamplan.exe dreamplan.exe no specs ppadsetup.exe nchsetup.exe photopad.exe no specs pstagesetup.exe nchsetup.exe photostage.exe no specs vpsetup.exe nchsetup.exe mp3el2.exe ffmpeg23.exe videopad.exe no specs drawpadsetup.exe nchsetup.exe drawpad.exe no specs dreamplan.exe no specs msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs identity_helper.exe no specs identity_helper.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs textinputhost.exe no specs msedge.exe no specs keygen.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
320"C:\Users\admin\AppData\Local\Temp\n1s\nchsetup.exe" -installer "C:\Users\admin\Desktop\designsetup.exe" -instdata "C:\Users\admin\AppData\Local\Temp\n1s\nchdata.dat"C:\Users\admin\AppData\Local\Temp\n1s\nchsetup.exe
designsetup.exe
User:
admin
Company:
NCH Software
Integrity Level:
HIGH
Description:
DreamPlan Home Design Software
Exit code:
0
Version:
9.19
Modules
Images
c:\users\admin\appdata\local\temp\n1s\nchsetup.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
320"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=2360 --field-trial-handle=2368,i,7326057953531090895,5565342712985259964,262144 --variations-seed-version /prefetch:2C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
460"C:\Program Files (x86)\NCH Software\DreamPlan\zlib1v3.exe" -LQUIET -instby fiDreamPlan -instsvar DREAMPLANRelatedprogramsfreeonDREAMPLANDarkv2onC:\Program Files (x86)\NCH Software\DreamPlan\zlib1v3.exe
nchsetup.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\program files (x86)\nch software\dreamplan\zlib1v3.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
460"C:\Users\admin\AppData\Local\Temp\VideoPad-300-1\ffmpeg23.exe" -LQUIET -instby coVideoPadC:\Users\admin\AppData\Local\Temp\VideoPad-300-1\ffmpeg23.exe
nchsetup.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\videopad-300-1\ffmpeg23.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
1556"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=2376 --field-trial-handle=2380,i,7415000819669704677,5761151665993863071,262144 --variations-seed-version /prefetch:2C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
1692"C:\Program Files (x86)\NCH Software\DreamPlan\dreamplan.exe" -installschedC:\Program Files (x86)\NCH Software\DreamPlan\dreamplan.exenchsetup.exe
User:
admin
Company:
NCH Software
Integrity Level:
MEDIUM
Description:
DreamPlan Home Design Software
Exit code:
0
Version:
9.19
Modules
Images
c:\program files (x86)\nch software\dreamplan\dreamplan.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\msvcrt.dll
1716"C:\Users\admin\AppData\Local\Temp\DreamPlan-6684-1\pstagesetup.exe" -LQUIET -instby rpDreamPlan -instsvar DREAMPLANRelatedprogramsfreeonDREAMPLANDarkv2onLLIBInstquickonLLIBControlonDREAMPLANRecentbttmonDREAMPLANSearchbarv2offDREAMPLANSofttbsoffM5lqDa2wDREAMPLANPaintcalculatoroffSturKHJkNJNxVn4fFVLkDREAMPLANAdvancedfloorv2offDREAMPLANOverheadviewoffDREAMPLANIsometricviewonDREAMPLANNew3dguicolorsonDafcGSspUesiDREAMPLANNewcolortexturepickeronBoedDREAMPLANStairwallstyleandcoloronDREAMPLANWallpaintregionsonLgprX2vtFasmR0llPcihC:\Users\admin\AppData\Local\Temp\DreamPlan-6684-1\pstagesetup.exe
dreamplan.exe
User:
admin
Company:
NCH Software
Integrity Level:
HIGH
Description:
PhotoStage Slideshow Producer
Exit code:
0
Version:
11.43+
Modules
Images
c:\users\admin\appdata\local\temp\dreamplan-6684-1\pstagesetup.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\setupapi.dll
1884"C:\Program Files (x86)\NCH Software\DreamPlan\dreamplan.exe" -installrelated fC:\Program Files (x86)\NCH Software\DreamPlan\dreamplan.exe
nchsetup.exe
User:
admin
Company:
NCH Software
Integrity Level:
HIGH
Description:
DreamPlan Home Design Software
Exit code:
0
Version:
9.19
Modules
Images
c:\program files (x86)\nch software\dreamplan\dreamplan.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
2088"C:\Program Files (x86)\NCH Software\PhotoPad\photopad.exe" -installschedC:\Program Files (x86)\NCH Software\PhotoPad\photopad.exenchsetup.exe
User:
admin
Company:
NCH Software
Integrity Level:
MEDIUM
Description:
PhotoPad Image Editor
Exit code:
0
Version:
13.41+
Modules
Images
c:\program files (x86)\nch software\photopad\photopad.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\imm32.dll
c:\windows\syswow64\user32.dll
2136"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=4128 --field-trial-handle=2380,i,7415000819669704677,5761151665993863071,262144 --variations-seed-version /prefetch:8C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events
77 546
Read events
74 472
Write events
2 940
Delete events
134

Modification events

(PID) Process:(2212) designsetup.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:ProxyBypass
Value:
1
(PID) Process:(2212) designsetup.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:IntranetName
Value:
1
(PID) Process:(2212) designsetup.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
1
(PID) Process:(2212) designsetup.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:AutoDetect
Value:
0
(PID) Process:(320) nchsetup.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
Operation:writeName:DreamPlanInstall
Value:
C:\Users\admin\Desktop\designsetup.exe
(PID) Process:(320) nchsetup.exeKey:HKEY_CURRENT_USER\SOFTWARE\NCH Software\DreamPlan\Software
Operation:writeName:SVar
Value:
DREAMPLANRelatedprogramsfreeon
(PID) Process:(320) nchsetup.exeKey:HKEY_CURRENT_USER\SOFTWARE\NCH Software\DreamPlan\Software
Operation:writeName:SVar
Value:
DREAMPLANRelatedprogramsfreeonDREAMPLANDarkv2on
(PID) Process:(320) nchsetup.exeKey:HKEY_CURRENT_USER\SOFTWARE\NCH Software\DreamPlan\Settings
Operation:writeName:InstalledByAdmin
Value:
1
(PID) Process:(320) nchsetup.exeKey:HKEY_CURRENT_USER\SOFTWARE\NCH Software\DreamPlan\UsageStatsChoice
Operation:writeName:llinad
Value:
1
(PID) Process:(320) nchsetup.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:ProxyBypass
Value:
1
Executable files
46
Suspicious files
241
Text files
159
Unknown types
38

Dropped files

PID
Process
Filename
Type
2212designsetup.exeC:\Users\admin\AppData\Local\Temp\n1s\nchsetup.cabcompressed
MD5:F570F7CE82E2C62437D9476CF9740424
SHA256:3F3C20FFC59189419A98A79309EA0D3CB4C8DFD73B23AC42DB4C5E9D73DB8DCD
2212designsetup.exeC:\Users\admin\AppData\Local\Temp\n1s\nchdata.datexecutable
MD5:FB51AB09763C048B1418EBD1800BF4B4
SHA256:0EF55B6A24DAE285EC4FEFB60529F03F2B0317FC47ECB7EE8EC2324EB317E172
320nchsetup.exeC:\Program Files (x86)\NCH Software\DreamPlan\shellmenub.msixcompressed
MD5:CAF0E9FA3575934D0B405F8966944DDB
SHA256:923716C343CEC0DF7A43CBC50FBC921E58C9C8201A94DBC3BD9FC8E38A8339AC
320nchsetup.exeC:\ProgramData\NCH Software\DreamPlan\engine\cap2.3dnbinary
MD5:BCFDD78CBB0FC907EB01B06392B5B164
SHA256:C9B79B56B336D141DE6E8DF1DB0189F46665CA148F347AAE55CDD0907AE997CD
320nchsetup.exeC:\ProgramData\NCH Software\DreamPlan\engine\arrow.3dnbinary
MD5:01DBD8A3C523D80FD55FFE4B9B9E03D9
SHA256:C441051874C7F630544AB018939FF3AB0065AB6549D288411E8221022676FDEB
2212designsetup.exeC:\Users\admin\AppData\Local\Temp\n1s\nchsetup.exeexecutable
MD5:85529F888D2C01CFCCC491A001A479CA
SHA256:6AFC5154FFCAA2B1274B2AC5D11F53D79E9B6817C997AFF778A0CA1B71E16F5D
320nchsetup.exeC:\Program Files (x86)\NCH Software\DreamPlan\dreamplan.exeexecutable
MD5:85529F888D2C01CFCCC491A001A479CA
SHA256:6AFC5154FFCAA2B1274B2AC5D11F53D79E9B6817C997AFF778A0CA1B71E16F5D
2212designsetup.exeC:\Users\admin\AppData\Local\Temp\n1s\nchdata.cabcompressed
MD5:8D6E7AF2B9A38A70F56B9D78D73E3452
SHA256:151591AA29E3A823F6FDDC0D478C703DE0AC3CD2DFFC68F0D4D09CE6F8EBB4AE
320nchsetup.exeC:\ProgramData\NCH Software\DreamPlan\engine\line.3dnbinary
MD5:75B2F949E8A01190D7558A6186FDD139
SHA256:B89479D33237EB0979B1752CD82FE4B71956CF58A498A46B9C9B020669365B6B
320nchsetup.exeC:\ProgramData\NCH Software\DreamPlan\engine\stylusMiddle.3dnbinary
MD5:B57EFDA6B69E607E2B67035C83FA13CF
SHA256:FACF1251514089D0187EB4239D70BAFC1F589A4CC675923C24142E612ABFBC4E
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
26
TCP/UDP connections
78
DNS requests
49
Threats
10

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
5336
SearchApp.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D
unknown
whitelisted
3160
svchost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
3160
svchost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
6772
backgroundTaskHost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D
unknown
whitelisted
6824
backgroundTaskHost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D
unknown
whitelisted
1884
dreamplan.exe
GET
200
66.39.83.117:80
http://audiochannel.net/components/pstagesetup.exe
unknown
whitelisted
3848
dreamplan.exe
GET
200
173.247.250.125:80
http://www.audiochannel.net/stock/dreamplan/textures/textures.csv
unknown
whitelisted
1884
dreamplan.exe
GET
200
66.39.83.117:80
http://audiochannel.net/components/ppadsetup.exe
unknown
whitelisted
3848
dreamplan.exe
GET
200
173.247.250.125:80
http://www.audiochannel.net/stock/dreamplan/dod/newobjects.db
unknown
whitelisted
5144
svchost.exe
HEAD
200
152.199.19.161:80
http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/33e302ae-0503-41fc-a6ac-ee24bf37f8fc?P1=1723659548&P2=404&P3=2&P4=V3Sg0hxwOOcBXn2S%2bjUUFlZGXvWyxC7sLXNby3uKvQ3RPjMyehn3uML0SXumvq%2fh2OIeYcuYoC4U6BWzi4AnQg%3d%3d
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3888
svchost.exe
239.255.255.250:1900
whitelisted
5028
svchost.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
unknown
4
System
192.168.100.255:138
whitelisted
4016
RUXIMICS.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
unknown
2120
MoUsoCoreWorker.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
unknown
4
System
192.168.100.255:137
whitelisted
5028
svchost.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
5336
SearchApp.exe
2.23.209.149:443
www.bing.com
Akamai International B.V.
GB
unknown
3260
svchost.exe
20.198.162.78:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
SG
unknown
5336
SearchApp.exe
192.229.221.95:80
ocsp.digicert.com
EDGECAST
US
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 40.127.240.158
  • 51.104.136.2
  • 51.124.78.146
whitelisted
google.com
  • 142.250.185.78
  • 172.217.18.14
whitelisted
www.bing.com
  • 2.23.209.149
  • 2.23.209.158
  • 2.23.209.150
  • 2.23.209.143
  • 2.23.209.148
  • 2.23.209.144
  • 2.23.209.154
  • 2.23.209.160
  • 2.23.209.156
  • 104.126.37.161
  • 104.126.37.139
  • 104.126.37.162
  • 104.126.37.130
  • 104.126.37.163
  • 104.126.37.128
  • 104.126.37.170
  • 104.126.37.186
  • 104.126.37.171
  • 2.23.209.177
  • 2.23.209.182
  • 2.23.209.183
  • 2.23.209.187
  • 2.23.209.173
  • 2.23.209.175
  • 2.23.209.179
  • 2.23.209.176
  • 2.23.209.181
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
client.wns.windows.com
  • 20.198.162.78
whitelisted
login.live.com
  • 40.126.32.138
  • 20.190.160.14
  • 20.190.160.20
  • 20.190.160.17
  • 20.190.160.22
  • 40.126.32.68
  • 40.126.32.140
  • 40.126.32.72
whitelisted
th.bing.com
  • 2.23.209.173
  • 2.23.209.179
  • 2.23.209.187
  • 2.23.209.183
  • 2.23.209.181
  • 2.23.209.176
  • 2.23.209.189
  • 2.23.209.175
  • 2.23.209.185
whitelisted
fd.api.iris.microsoft.com
  • 20.223.36.55
whitelisted
arc.msn.com
  • 20.223.35.26
whitelisted
slscr.update.microsoft.com
  • 40.127.169.103
whitelisted

Threats

PID
Process
Class
Message
1884
dreamplan.exe
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
1884
dreamplan.exe
Potentially Bad Traffic
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
1884
dreamplan.exe
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
1884
dreamplan.exe
Potentially Bad Traffic
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
1884
dreamplan.exe
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
1884
dreamplan.exe
Potentially Bad Traffic
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
6244
nchsetup.exe
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
6244
nchsetup.exe
Potentially Bad Traffic
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
1884
dreamplan.exe
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
1884
dreamplan.exe
Potentially Bad Traffic
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
Keygen.exe